Government IT pros duped by a smart, pretty social profile
In an officially sanctioned "penetration test" by an undisclosed cyber security team, experts penetrated a government agency by creating a fake social profile of a woman named Emily Williams. They presented her as a smart MIT grad working in the IT sector. They used a real woman's picture and established her "credibility" via LinkedIn, Facebook, university forums, etc. Through this they quickly garnered numerous Facebook "friends" and LinkedIn connections.
Once connected, they managed to deliver a virus via eChristmas and eBirthday cards. Surprisingly, the virus, a Java applet, required interaction by the connection: the targets had to "ok" the virus for it to be installed. Once installed, the virus did its work, and soon the hackers had tremendous access to systems and some classified information. The extent of information gathered by the breach is pretty amazing.
What's interesting to note is that the team has conducted these "penetration tests" for other organizations, using the "social network" to validate the fake profiles, and has had the same results. They get in by using a smart, pretty face. When they used a fake male identity, they had no success.
This event was reported Wednesday at the RSA Europe security conference in Amsterdam by Aamir Lakhani, a cyber defense specialist.
Post Script: The issue of fake social profiles is part of why we have a human review every submission to our site. With that in mind, we are considering an advanced paid "Verification" system that includes not just a human review, but human interaction via phone, Skype, snail mail, and notary. If you are interested in such a validation process, leave a comment below and follow us on the social networks to be notified if and when the service becomes available.